DESPITE THE ENHANCED attention given to security in the post-9-11 era, security managers continue to face two enormous and related challenges: How to prove the department's return on investment (ROI) and how to allocate limited security resources efficiently. These challenges are all the more difficult when security must also use resources for nonsecurity tasks. The security department of Carolinas HealthCare System, where the author is manager of the Investigations and Training Division, felt these pressures keenly. The organization includes 15 hospitals, several long-term care facilities, and a network of more than 500 physicians and other health practitioners throughout the Carolinas. The facilities, which are owned, leased, or managed, range from small rural practices to large urban hospitals with hundreds of beds. Each has widely different needs and resources.
LAST YEAR, the department began researching a method of analyzing facilities to evaluate the state of security at each, as a guide to how budget monies and precious resources such as manpower and technological aids could best be allocated. The research team chose a self-assessment method that looked at local crime statistics, traditional "security-sensitive" areas of the hospital, and existing staffing and security measures in place at each facility. What follows is a discussion of the risk-measurement methodology and how it was used with two of Carolinas HealthCare System's facilities. It should be noted, however, that this method is not meant to take the place of a more extensive and formal third-party assessment. Those are still needed at reasonable intervals.
Methodology. The approach selected by security was a point-allocation system, where each risk and each countermeasure has an assigned point value. It works by adding points based on risks faced by a particular facility and subtracting points because of any resources assigned to that facility to mitigate those risks. The total value is compared against a numerical scale of overall security risk.
The system was created by the security department, which wanted to develop an easily quantifiable risk-assessment functionality that would be appropriate for every facility in the organization's network, large or small; and since it is used to help in the budgeting process, the assessment speaks the language of its audience. The point system can be changed as necessary to fit any facility or group of facilities, as long as it is applied consistently throughout. Results obtained from the assessments conducted by the author have correlated closely to the reports compiled by the network's electronic incident-management system.
Base range. The system begins with a base value of "o" points, regardless of the size, location, or type of facility being assessed. The assessor must then decide on a score range as it relates to the facility's overall security risk. The range used to evaluate the examples that follow was 0-25 for low risk, 25-50 for moderate risk, 50-75 for high risk, and more than 75 for severe risk. (These categories can also have an assigned color-coded value, such as green for low, yellow for moderate, orange for high, and red for severe. Color codes translate more easily in a PowerPoint presentation.)
Police service calls. The assessor first determines the relative risk level of the neighborhood by discovering the number of calls for service that local law enforcement has received within a three-quarter-mile radius of the facility. The three-quarter-mile radius is suggested because this distance should include the immediate vicinity of the site without overly extending the area measured. When the assessment involves a very large facility where the campus itself is more than three-quarters of a mile across, this radius will need to be adjusted accordingly. For example, for a rural facility where fewer than 200 people live within a mile of the campus, assessors obtained data from local police and then expanded the radius to five miles from the facility. …